Kerberos authentication for the Hadoop ecosystem, part 3: HBase
I. Preparation
Stop the Hadoop cluster;
Install the Kerberos authentication service;
II. HBase configuration
1. Edit the hbase-site.xml file
Add the following:
<property>
<name>hbase.master.kerberos.principal</name>
<value>root/_HOST@EXAMPLE.COM</value>
</property>
<property>
<name>hbase.master.keytab.file</name>
<value>/usr/data/kerberos/keytab/root.keytab</value>
</property>
<property>
<name>hbase.regionserver.kerberos.principal</name>
<value>root/_HOST@EXAMPLE.COM</value>
</property>
<property>
<name>hbase.regionserver.keytab.file</name>
<value>/usr/data/kerberos/keytab/root.keytab</value>
</property>
<property>
<name>hbase.security.authentication</name>
<value>kerberos</value>
</property>
<property>
<name>hbase.rpc.engine</name>
<value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
</property>
<property>
<name>hbase.coprocessor.region.classes</name>
<value>org.apache.hadoop.hbase.security.token.TokenProvider,
org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,
org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
2. Edit the hbase-env.sh file
Add or modify the following:
export HBASE_OPTS="$HBASE_OPTS -Djava.security.auth.login.config=/usr/local/hbase/hbase-1.4.13/conf/hbase-jaas.conf"
## If these were not set when HBase was originally installed, also add the following (in particular the trailing entry pointing at the Hadoop configuration directory; without it, startup fails with an error):
export HBASE_MANAGES_ZK=false
export HBASE_CLASSPATH=$HBASE_CLASSPATH:/usr/local/hbase/hbase-1.4.13/conf:/usr/local/hbase/hbase-1.4.13/lib:/usr/local/hadoop/hadoop-2.7.4/etc/hadoop
3. Add the hbase-jaas.conf file
Create /usr/local/hbase/hbase-1.4.13/conf/hbase-jaas.conf, the file referenced in step 2 (editing hbase-env.sh).
Its contents:
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/usr/data/kerberos/keytab/root.keytab"
storeKey=true
useTicketCache=false
principal="hadoop/node@EXAMPLE.COM";
};
4. Edit zoo.cfg
Also add the following to the ZooKeeper configuration file zoo.cfg:
skipACL=yes
According to the reference article, without this setting you get an InvalidACL for /hbase error and HMaster fails to start.
In practice, though, it did not seem to make any difference; whether it is needed remains undetermined.
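As an added example (not part of the original post), a small Python script that cross-checks the three files configured above: it parses the hbase-site.xml properties and the JAAS Client section (constructed inline from the snippets in this post), confirms the required Kerberos properties are present, that every principal sits in one realm, that the JAAS keytab path and service name agree with hbase-site.xml, and flags skipACL=yes in zoo.cfg because that option turns off ZooKeeper ACL enforcement.

```python
import re
import xml.etree.ElementTree as ET
# Constructed samples copied from the post's snippets (hbase-site.xml additions wrapped in <configuration>).
HBASE_SITE = """<configuration>
<property><name>hbase.master.kerberos.principal</name><value>root/_HOST@EXAMPLE.COM</value></property>
<property><name>hbase.master.keytab.file</name><value>/usr/data/kerberos/keytab/root.keytab</value></property>
<property><name>hbase.regionserver.kerberos.principal</name><value>root/_HOST@EXAMPLE.COM</value></property>
<property><name>hbase.regionserver.keytab.file</name><value>/usr/data/kerberos/keytab/root.keytab</value></property>
<property><name>hbase.security.authentication</name><value>kerberos</value></property>
</configuration>"""
HBASE_JAAS = """Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/usr/data/kerberos/keytab/root.keytab"
storeKey=true
useTicketCache=false
principal="hadoop/node@EXAMPLE.COM";
};"""
ZOO_CFG = "tickTime=2000\nskipACL=yes\n"  # constructed; skipACL=yes is the line the post adds
REQUIRED = ("hbase.security.authentication", "hbase.master.kerberos.principal", "hbase.master.keytab.file",
            "hbase.regionserver.kerberos.principal", "hbase.regionserver.keytab.file")

def parse_site(xml_text):
    # map <name> to <value> for every <property> in hbase-site.xml
    return {p.findtext("name"): p.findtext("value") for p in ET.fromstring(xml_text).iter("property")}

def parse_jaas(text):
    # key=value options of the JAAS section, surrounding quotes stripped
    return dict(re.findall(r'(\w+)="?([^"\s;]+)"?', text))

def check(site, jaas, zoo_cfg):
    # returns a list of findings; an empty list means the three files agree with each other
    findings = [f"hbase-site.xml is missing {k}" for k in REQUIRED if k not in site]
    if site.get("hbase.security.authentication") != "kerberos":
        findings.append("hbase.security.authentication is not 'kerberos'")
    principals = [v for k, v in site.items() if k.endswith(".principal")] + [jaas.get("principal", "")]
    if len({p.rsplit("@", 1)[-1] for p in principals}) != 1:
        findings.append("principals do not all belong to the same Kerberos realm")
    if len({p.split("/", 1)[0] for p in principals}) != 1:
        findings.append("JAAS principal service name differs from hbase-site.xml principals; confirm the keytab holds it")
    if jaas.get("keyTab") not in {v for k, v in site.items() if k.endswith(".keytab.file")}:
        findings.append("JAAS keyTab path differs from the keytab files in hbase-site.xml")
    if re.search(r"^\s*skipACL\s*=\s*yes", zoo_cfg, re.M):
        findings.append("zoo.cfg sets skipACL=yes, which disables ZooKeeper ACL enforcement")
    return findings

if __name__ == "__main__":
    for f in check(parse_site(HBASE_SITE), parse_jaas(HBASE_JAAS), ZOO_CFG):
        print("WARN:", f)
```

Run against the post's own values it reports two findings: the JAAS principal uses the service name hadoop while hbase-site.xml uses root, and skipACL=yes is present.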
III. Verification
1. Start
start-hbase.sh
It must start cleanly and every node must stay up; if a process starts and then dies a short while later, check the configuration.
[root@node hadoop]# jps
94561 HMaster # HMaster, HBase
2830 NameNode # NameNode, HDFS
82193 RunJar
92176 RunJar
94711 HRegionServer # HRegionServer, HBase
3352 ResourceManager # YARN
34104 QuorumPeerMain # ZooKeeper
4314 RunJar
3228 Secur # this is the DataNode, HDFS
2973 SecondaryNameNode # SecondaryNameNode, HDFS
3583 NodeManager # YARN
6879 JobHistoryServer # HistoryServer, YARN
106974 Jps
2. Verify
Enter the HBase command line: hbase shell
If you have not logged in to Kerberos, you get an error or a message that the shell is not connected:
[root@node conf]# hbase shell
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/local/hbase/hbase-1.4.13/lib/slf4j-log4j12-1.7.25.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/local/hadoop/hadoop-2.7.4/share/hadoop/common/lib/slf4j-log4j12-1.7.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
HBase Shell
Use "help" to get list of supported commands.
Use "exit" to quit this interactive shell.
Version 1.4.13, r38bf65a22b7e9320f07aeb27677e4533b9a77ef4, Sun Feb 23 02:06:36 PST 2020
hbase(main):001:0> list
TABLE
2020-12-25 13:49:51,889 FATAL [main] ipc.BlockingRpcConnection: SASL authentication failed. The most likely cause is missing or invalid credentials. Consider 'kinit'.
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
at org.apache.hadoop.hbase.security.AbstractHBaseSaslRpcClient.getInitialResponse(AbstractHBaseSaslRpcClient.java:130)
at org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:81)
at org.apache.hadoop.hbase.ipc.BlockingRpcConnection.setupSaslConnection(BlockingRpcConnection.java:353)
at org.apache.hadoop.hbase.ipc.BlockingRpcConnection.access$600(BlockingRpcConnection.java:85)
at org.apache.hadoop.hbase.ipc.BlockingRpcConnection$2.run(BlockingRpcConnection.java:455)
at org.apache.hadoop.hbase.ipc.BlockingRpcConnection$2.run(BlockingRpcConnection.java:452)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1746)
at org.apache.hadoop.hbase.ipc.BlockingRpcConnection.setupIOstreams(BlockingRpcConnection.java:452)
at org.apache.hadoop.hbase.ipc.BlockingRpcConnection.writeRequest(BlockingRpcConnection.java:540)
at org.apache.hadoop.hbase.ipc.BlockingRpcConnection.tracedWriteRequest(BlockingRpcConnection.java:520)
at org.apache.hadoop.hbase.ipc.BlockingRpcConnection.access$200(BlockingRpcConnection.java:85)
at org.apache.hadoop.hbase.ipc.BlockingRpcConnection$4.run(BlockingRpcConnection.java:724)
at org.apache.hadoop.hbase.ipc.HBaseRpcControllerImpl.notifyOnCancel(HBaseRpcControllerImpl.java:240)
at org.apache.hadoop.hbase.ipc.BlockingRpcConnection.sendRequest(BlockingRpcConnection.java:699)
..... (remainder of the stack trace omitted) .....
Only after logging in can you work normally; after logging in, re-enter the hbase shell:
[root@node conf]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node conf]# kinit -kt /usr/data/kerberos/keytab/root.keytab root/node
[root@node conf]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/node@EXAMPLE.COM
Valid starting Expires Service principal
2020-12-25T13:51:26 2020-12-26T13:51:26 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 2021-01-01T13:51:26
[root@node conf]# hbase shell
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/local/hbase/hbase-1.4.13/lib/slf4j-log4j12-1.7.25.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/local/hadoop/hadoop-2.7.4/share/hadoop/common/lib/slf4j-log4j12-1.7.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
HBase Shell
Use "help" to get list of supported commands.
Use "exit" to quit this interactive shell.
Version 1.4.13, r38bf65a22b7e9320f07aeb27677e4533b9a77ef4, Sun Feb 23 02:06:36 PST 2020
hbase(main):001:0> list
TABLE
KYLIN_L8OCJV6QTO
KYLIN_OURXTOKFLR
KYLIN_UF00E2GOT9
ext_capacity_stats_live_exception
kylin_metadata
5 row(s) in 0.2040 seconds
=> ["KYLIN_L8OCJV6QTO", "KYLIN_OURXTOKFLR", "KYLIN_UF00E2GOT9", "ext_capacity_stats_live_exception", "kylin_metadata"]
hbase(main):002:0>